There is a tendency in the cybersecurity industry to conflate tactical changes in the threat landscape with structural and strategic imperatives that are fundamentally altering the role and responsibilities of chief information security officers (CISOs). Today’s CISOs must do more than protect systems and data from the latest threats; they must become business enablers and champions of risk-based security programs.
In a 2019 research report, Gartner analyst Tom Scholtz likened the role of the modern CISO to one of facilitator, communicator, problem solver, and business leader. “You must understand the goals of the business, quickly identify and assess the associated risks, and recommend solutions in business terms,” wrote Scholtz.
Bridging the gap between cybersecurity and the business, however, remains an aspirational goal for many who struggle to understand where to begin. At ThreatConnect, we believe the first step starts with understanding the strategic advantages of shifting to a risk-led security program.
From Whack-a-Mole to Risk-led Security
Effective cybersecurity is not a function of simply adding more budget, technology or incident responders. The U.S. federal government, for example, spends nearly $19 billion a year on cybersecurity and still falls victim to cyberattacks at every level of sophistication. The reason is clear: the federal government, like most large businesses today, continues to play whack-a-mole with no prioritized view of which risks matter most to the organization.
Even the best vulnerability management program is not, by itself, addressing cyber risk. More than 13% of all Common Vulnerabilities and Exposures (CVEs) carry a severity score between 9.0 and 10.0 (the highest possible value), and of those, 7,628 (about 47%) are scored at 10.0. How can a security team tell one 10.0 from another? And how does a business know it is focusing on the right ones?
Without understanding that risk is a business issue, not a technical issue, CISOs will likely not focus their resources on the right things. Most businesses don’t know what their exposure is to any given cyber event, including what the impact could be in terms of lost revenue, response costs, and secondary loss. Until now, the result has been a lack of focus on the risks that matter most to the business and an inability to communicate an accurate risk posture to the C-Suite and board of directors.
The growing pace and sophistication of nation state attacks, coupled with an ever-expanding attack surface, makes our ability to accurately quantify and prioritize cyber risks within the context of our individual businesses an urgent priority for 2021. To do this, however, CISOs must be able to align security with the business and speak the language of the business.
Start With Cyber Risk Data
The modern business enterprise has more data about the level of cyber risk it faces than ever before. Today, CISOs and their technical teams have access to countless intelligence feeds about threat actors and vulnerabilities, plus data coming in from literally hundreds of cybersecurity “systems.” This information overload has not only plagued analysts and incident responders; it has also contributed to the inability of CISOs to communicate cybersecurity in terms the business can understand and act upon.
This is now changing, primarily because of the development of decision and operational support systems that direct the security team’s efforts to the most critical risks and show the business value behind those actions.
There are thousands of attacks engineered each day. Companies cannot and should not consider every threat as a risk to their business. That would overwhelm and distract from effective risk management. Rather, organizations should strategize according to the probability of an attack targeting their business.
When considering probability, the distinguishing attacker attribute is motivation. Only 11% of cyber attacks have an unknown motive (Radware). For the remaining 89% of attacks, motives are understood, ranging from financial gain to competition and political advantage. Triangulating these attack probabilities using industry data serves to filter out irrelevant threats or unlikely events, while focusing attention on the more probable cyber risks.
CISOs Must Automate & Communicate Risk Quantification
Lengthy, manual assessments and theoretical computations are not sufficient for measuring cyber risks and making intelligent business decisions. Moving forward, businesses must commit to producing timely, verifiable risk intelligence that can inform cyber risk quantification efforts, and enable timely security orchestration, automation and response.
Board members bear the responsibility to govern all areas of a corporation. Delivering a siloed, technical view of cybersecurity misses the mark for a business-centric board; in fact, it risks creating distraction and confusion. Rather, CISOs should give the board information it can compare to other enterprise risks.
Start by introducing each risk from the business perspective, for example: “The Sales process is at risk of losing $25M because the CRM system is vulnerable to a ransomware attack.” This gives the board enough information to understand the issue immediately.
Because the board communicates and operates at a high, strategic level, CISOs must tailor and prioritize their messaging to this level. The board doesn’t need to know about every blinking light on the security dashboard. Rather, use the business context to prioritize the handful of risks that are most urgent to the business. Through this exercise, prioritized cyber risks can be integrated into the enterprise risk register to be monitored and funded.
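To make the difference between a severity score and a business risk concrete, here is an added example (not ThreatConnect’s code or methodology) that addresses both questions raised above: how to tell one 10.0 from another, and how to state the answer in business terms. It ranks findings by annualized expected loss, the probability that a motivated attacker targets the process, times the probability the attempt succeeds given the asset’s exposure and whether a public exploit exists, times the loss components named earlier (lost revenue, response cost, secondary loss). Every finding ID, asset, dollar figure, probability and weight is a constructed assumption; the `threat_likelihood` values stand in for the industry and motive data the text refers to.

```python
"""Rank findings by expected business loss instead of by CVSS score alone.

Added example, not ThreatConnect's code or methodology. Every finding,
asset, dollar figure, probability and weight below is constructed for
illustration; threat_likelihood stands in for industry and motive data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str       # tracking id in the vulnerability scanner (hypothetical)
    cvss: float           # CVSS base score, 0.0 to 10.0
    asset: str            # system on which the vulnerability was found
    process: str          # business process the asset supports
    exposure: str         # "internet", "partner" or "internal"
    exploit_public: bool  # a working exploit is available to attackers
    scenario: str         # loss event the vulnerability enables, e.g. "ransomware"


@dataclass(frozen=True)
class LossModel:
    """Loss components for one business process (assumed figures)."""
    revenue_at_risk: float     # revenue lost while the process is unavailable
    response_cost: float       # investigation, recovery, notification
    secondary_loss: float      # fines, churn, litigation
    threat_likelihood: float   # annual probability an attacker targets the process


# Assumed weights: how likely an attempt turns into a success given where the asset sits,
# and the discount applied when attackers must build their own exploit.
EXPOSURE_WEIGHT = {"internet": 1.0, "partner": 0.5, "internal": 0.2}
NO_PUBLIC_EXPLOIT_WEIGHT = 0.4


def impact(model: LossModel) -> float:
    """Total loss if the scenario materialises: primary plus secondary loss."""
    return model.revenue_at_risk + model.response_cost + model.secondary_loss


def likelihood(f: Finding, model: LossModel) -> float:
    """Annual probability of loss: P(attacker targets the process) * P(attempt succeeds)."""
    success = EXPOSURE_WEIGHT[f.exposure] * (1.0 if f.exploit_public else NO_PUBLIC_EXPLOIT_WEIGHT)
    return model.threat_likelihood * success


def expected_loss(f: Finding, model: LossModel) -> float:
    """Annualised expected loss, the figure comparable to other enterprise risks."""
    return likelihood(f, model) * impact(model)


def rank_by_risk(findings, models):
    """Return (finding, expected_loss) pairs, highest business risk first."""
    scored = [(f, expected_loss(f, models[f.process])) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def board_statement(f: Finding, model: LossModel) -> str:
    """One-line, business-language summary suitable for a risk register entry."""
    return (f"The {f.process} process is at risk of losing ${impact(model):,.0f} "
            f"because the {f.asset} is vulnerable to {f.scenario}.")


# Constructed sample data: three findings, two of them "perfect 10s" by CVSS.
FINDINGS = [
    Finding("F-1", 10.0, "CRM platform", "Sales", "internet", True, "ransomware"),
    Finding("F-2", 10.0, "lab test server", "R&D test bench", "internal", False, "remote code execution"),
    Finding("F-3", 7.5, "payment gateway", "Order fulfilment", "internet", True, "card data theft"),
]
MODELS = {
    "Sales": LossModel(20_000_000, 2_000_000, 3_000_000, threat_likelihood=0.5),
    "R&D test bench": LossModel(100_000, 50_000, 0, threat_likelihood=0.2),
    "Order fulfilment": LossModel(8_000_000, 1_000_000, 4_000_000, threat_likelihood=0.6),
}

if __name__ == "__main__":
    # CVSS alone ties F-1 and F-2 at 10.0 and puts F-3 last; expected loss separates them.
    for f, loss in rank_by_risk(FINDINGS, MODELS):
        print(f"{f.finding_id}  CVSS {f.cvss:4.1f}  expected loss ${loss:>13,.0f}  "
              f"{board_statement(f, MODELS[f.process])}")
```

Run it and the two 10.0s separate: the internet-facing CRM platform ranks first with an expected loss of $12.5M, the 7.5 on the payment gateway second at $7.8M, and the isolated lab server, a 10.0 by CVSS, last at a few thousand dollars. The `board_statement` line for the top entry reads exactly like the Sales example above, and the expected-loss column is what goes into the enterprise risk register alongside the organization’s other risks.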